From: David Adam
To: Gerrit Kühn
Cc: freebsd-stable@freebsd.org
Date: Wed, 22 Nov 2006 22:49:01 +0800 (WST)
Subject: Re: FreeBSD 6.x, NIS, local root password, and nsswitch.conf

On Wed, 22 Nov 2006, Gerrit Kühn wrote:

> On Wed, 22 Nov 2006 09:07:34 -0500 (EST) Mark Hennessy
> wrote about Re: FreeBSD 6.x, NIS, local root password, and nsswitch.conf:
>
> MH> I'm a bit unsure about it myself.
> MH> I tried exactly what you suggested, putting files on the compat line
> MH> and before nis for both passwd and groups on the NIS slave server
> MH> only, and no go. Perhaps it is the master server that actually
> MH> controls this? I don't know. Any further advice would be greatly
> MH> appreciated.
>
> Sorry to disturb, but I don't understand why you distribute the server's
> root pw via NIS at all. Is it really shown by "ypcat passwd" on the
> client? If so, how about removing it from the list of exported accounts?

That's a really good point. When you consider the inherent insecurity of
NIS, having a root password in the maps is a pretty bad plan anyway.

Given my vague handwaving at PAM, and the fact that the OP probably has NIS
as sufficient above pam_unix, the obvious solution if my unverified
assertions are correct is to remove the root password from the NIS maps.

David Adam
zanchey@ucc.gu.uwa.edu.au
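
The check asked about in the quoted text (whether root is really shown by "ypcat passwd"), as an added example that is not part of the original message: a POSIX shell function that reads passwd-format map output and reports UID 0 entries and entries that expose a password hash. The function names, finding labels and sample lines are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original thread. Intended use on an NIS client:
#   ypcat passwd | audit_nis_passwd

# Reads passwd(5) (7 fields) or master.passwd(5) (10 fields) lines on stdin.
# Prints one finding per line: "<name> uid0", "<name> hash-exposed",
# or "<name> malformed" for lines with an unexpected field count.
audit_nis_passwd() {
    awk -F: '
        /^[ \t]*#/ || /^[ \t]*$/ { next }   # skip comments and blank lines
        NF != 7 && NF != 10 { print $1 " malformed"; next }
        {
            # Field 3 is the UID in both formats.
            if ($3 == 0) print $1 " uid0"
            # Field 2 is the password. Empty, "x", and values starting
            # with "*" or "!" are placeholders or locks, not hashes.
            if ($2 != "" && $2 != "x" && $2 !~ /^[!*]/)
                print $1 " hash-exposed"
        }'
}

# Constructed sample map content (hashes are placeholders, not real).
sample_map() {
    cat <<'EOF'
root:$1$constructed$notarealhash0000000000:0:0:Charlie &:/root:/bin/csh
toor:*:0:0:Bourne-again Superuser:/root:
alice:*:1001:1001:Alice Example:/home/alice:/bin/sh
bob:$1$constructed$notarealhash1111111111:1002:1002::0:0:Bob Example:/home/bob:/bin/sh
EOF
}

# Demonstration run over the constructed sample.
sample_map | audit_nis_passwd
```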